Carl Bäckström
03/08/2023, 4:55 PM
document:read) and then bundle these up into dynamic roles.
You would then be able to validate the permissions rather than the actual role of a user, allowing new roles to be added more easily. Is this something that could be accomplished with Cerbos or is this even something we would want to do with Cerbos?
Guillaume Picard
03/09/2023, 5:25 AM
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "batching_group"
  rules:
    - actions: ['delete']
      effect: EFFECT_ALLOW
      roles: ['*']
      condition:
        match:
          expr: ("delete:batching_group" in request.aux_data.jwt.claims)
Carl Bäckström
03/09/2023, 9:00 AM
Charith (Cerbos)
03/09/2023, 9:24 AM
- actions: ['document:read', 'document:write']
  effect: EFFECT_ALLOW
  roles: ['document_rw']
There's a write-up about this here: https://cerbos.dev/blog/context-aware-authorization-with-auth0-cerbos